Decades-old rules to protect telephone user privacy will now cover one half of the internet privacy ecosystem, a result of Congress’s April repeal of strict FCC broadband privacy regulations.
Shortly before the July 4 holiday the Federal Communications Commission passed an order officially subjecting internet service providers (ISPs) like Comcast and Verizon to privacy rules that govern how telephone providers treat customer information. The move comes after Congress repealed Obama-era FCC rules in April that subjected ISPs to tough internet-specific rules against collecting user data, like browsing history, without user permission.
“Because Congress has invalidated the 2016 Privacy Order, we simply make clear that the privacy rules that were in effect prior to 2016 are once again effective,” FCC Chairman Ajit Pai said.
The rules requiring ISPs to get opt-in consent from broadband subscribers before collecting their browsing and app usage data never took effect. Passed in late 2016, Pai, who voted against the rules as a Republican commissioner, suspended them shortly after being appointed by President Donald Trump to chair the FCC. Soon after, Congressional Republicans used the Congressional Review Act to repeal the rules altogether, barring the FCC from passing substantially similar rules in the future.
Instead, the FCC will now use Section 222 of the 1934 Communications Act to police ISP privacy. Under Section 222, ISPs with access to customer proprietary network information (CPNI) can use “aggregate customer information” for marketing provided “individual customer identities and characteristics have been removed,” meaning ISPs can still collect and monetize browsing information for targeted advertising — something they would’ve been unable to do under the repealed rules without customer permission.
While Section 222 doesn’t establish the hardline rules against data gathering and monetization repealed by congressional Republicans, it does give the FCC authority to enforce privacy practices on a case-by-case basis, determining violations as they occur.
“That’s not some crazy Republican idea,” explained Berin Szoka, president of the conservative think-tank TechFreedom in a Hill op-ed. “That’s how the Democratic FCC handled privacy over the last two years — at least, before the formal regulations were issued in October.”
Critics of the change say it won’t protect user privacy as effectively, since the FCC will only be able to examine complaints filed by users after they occur, rather than blocking specific practices right out of the gate.
Pai said the order acknowledging the congressional repeal and formally noting Section 222 authority over ISPs was supposed to be routine, but the agency held a vote on the matter at the request of Democrat Commissioner Mignon Clyburn. Clyburn, the only commissioner left who supported the 2016 rules, voted in favor but dissented generally over the direction the FCC is charting on privacy.
The Democrat said the FCC should have included new requirements for broadband providers in the order and that it was sad to see the agency “continue to give broadband providers a hall pass.”
Clyburn accused Pai of “taking a weed-whacker to rules to the detriment of regulatory certainty. She added the order was more evidence of Republicans’ plan to undo net neutrality rules that reclassified ISPs as FCC-regulated utilities “and that they are willing to leave broadband consumers without privacy protections while this work is ongoing.”
Pai said he was “perplexed” by Clyburn’s partial dissent, since she asked for the vote but never suggested changes beforehand.
“When a Commissioner does not share her concerns about an item until after she casts her vote, it makes it difficult to work
together to find common ground,” the chairman said.
If Pai’s net neutrality rollback is passed later this year, ISPs will no longer fall under the FCC’s authority, and go back to privacy regulation under the Federal Trade Commission — a goal shared by both Pai and Acting FTC Chairwoman Maureen Ohlhausen.
But the repeal of the 2016 rules wasn’t concession enough for ISPs. The trade group USTelecom, whose members include AT&T and Verizon, has already filed comments to the FCC saying it shouldn’t be bound by Section 222.
“All commercial entities with access to call-detail data were generally telecommunications carriers subject to Section 222, and there were no unregulated companies collecting the same information for marketing purposes,” USTelecom told the FCC in 2016. “Consumer expectations about the data uses on that closed network thus have no bearing on their quite different expectations about the use of data on the open internet, where unregulated online companies routinely make extensive use of the very same data that the Order hamstrings ISPs—and them alone—from using.”
Even Pai’s fellow Republican Commissioner Michael O’Rielly disagrees, saying “there is no independent authority in Section 222 to regulate privacy or data security, regardless of the technology,” and that “the categories of information that the [2016 rules] ma[kes] up within Section 222 — ‘customer proprietary information’ and its subset ‘personally identifiable information’ — are outside the scope of the provision.”
The debate isn’t likely to last. In addition to Pai’s plan to scale back net neutrality, House Republicans are working on a bill to enact the same 2016 FCC privacy rules over ISPs and edge providers — websites like Google and Facebook, who dominate the targeted advertising market. The bill also puts ISPs back under the FTC’s privacy regime.
